v3: added opengraph support to the app, wrote README instructions incl. a Docker image

api/config.ts

@@ -1,4 +1,14 @@
 export const PROTOCOL = Deno.env.get("GERBEUR_PROTOCOL") || "http";
 export const HOSTNAME = Deno.env.get("GERBEUR_HOSTNAME") || "localhost";
 export const PORT = Number(Deno.env.get("GERBEUR_PORT")) || 8000;
+// GERBEUR_LISTEN_HOST controls the network interface Oak binds to.
+// Defaults to 0.0.0.0 so Docker port-forwarding works out of the box.
+// Set to 127.0.0.1 to restrict to loopback only.
+export const LISTEN_HOST = Deno.env.get("GERBEUR_LISTEN_HOST") || "0.0.0.0";
 export const BASE_URL = `${PROTOCOL}://${HOSTNAME}:${PORT}`;
+
+const rawOrigins = Deno.env.get("GERBEUR_ALLOWED_ORIGINS") ??
+  "http://localhost:3000";
+export const ALLOWED_ORIGINS: string[] = rawOrigins
+  ? rawOrigins.split(",").map((o) => o.trim()).filter(Boolean)
+  : [];

api/lib/jwt.ts

@@ -8,10 +8,10 @@ import {
   isInvitePayload,
 } from "../model/interfaces.ts";
 
-const jwtSecret = Deno.env.get("JWT_SECRET");
+const jwtSecret = Deno.env.get("GERBEUR_JWT_SECRET");
 if (!jwtSecret) {
   throw new Error(
-    "JWT_SECRET environment variable is required. Generate one with: openssl rand -hex 32",
+    "GERBEUR_JWT_SECRET environment variable is required. Generate one with: openssl rand -hex 32",
   );
 }
 const JWT_KEY = new TextEncoder().encode(jwtSecret);

api/lib/static.ts

@@ -1,10 +1,13 @@
-import { Context, Next } from "@oak/oak";
+import { Context, Next, send } from "@oak/oak";
 
-export default function routeStaticFilesFrom(staticPaths: string[]) {
+export function routeStaticFilesFrom(staticPaths: string[]) {
   return async (context: Context<Record<string, object>>, next: Next) => {
     for (const path of staticPaths) {
       try {
-        await context.send({ root: path, index: "index.html" });
+        await send(context, context.request.url.pathname, {
+          root: path,
+          index: "index.html",
+        });
         return;
       } catch {
         continue;

api/main.ts

@@ -13,16 +13,27 @@ import followsRouter from "./routes/follows.ts";
 import notificationsRouter from "./routes/notifications.ts";
 import invitesRouter from "./routes/invites.ts";
 
-import { BASE_URL, HOSTNAME, PORT } from "./config.ts";
+import { ALLOWED_ORIGINS, BASE_URL, LISTEN_HOST, PORT } from "./config.ts";
 import { errorMiddleware } from "./middleware/error.ts";
-import routeStaticFilesFrom from "./lib/static.ts";
-import { DUMPS_DIR, UPLOADS_DIR } from "./lib/upload.ts";
-import { UUID_RE } from "./lib/slugify.ts";
+import { ogMiddleware } from "./middleware/og.ts";
+import { routeStaticFilesFrom } from "./lib/static.ts";
 
 const app = new Application();
 
+const cors = oakCors({ origin: ALLOWED_ORIGINS });
+
 app.use(errorMiddleware);
-app.use(oakCors());
+app.use(ogMiddleware);
+// Only invoke oakCors when the origin is present and allowed.
+// The library calls next() without await when origin is falsy, which
+// corrupts the response in Oak's async middleware chain.
+app.use(async (ctx, next) => {
+  const origin = ctx.request.headers.get("origin");
+  if (origin && ALLOWED_ORIGINS.includes(origin)) {
+    return await cors(ctx, next);
+  }
+  await next();
+});
 app.use(
   dumpsRouter.routes(),
   dumpsRouter.allowedMethods(),
@@ -82,22 +93,8 @@ app.addEventListener(
   (e) => console.log(`Uncaught error: ${e.message}`),
 );
 
-// Migrate dump files from uploads root to uploads/dumps subfolder
-async function migrateDumpFiles() {
-  await Deno.mkdir(DUMPS_DIR, { recursive: true });
-  for await (const entry of Deno.readDir(UPLOADS_DIR)) {
-    if (entry.isFile && UUID_RE.test(entry.name)) {
-      await Deno.rename(
-        `${UPLOADS_DIR}/${entry.name}`,
-        `${DUMPS_DIR}/${entry.name}`,
-      ).catch(() => {});
-    }
-  }
-}
-
 if (import.meta.main) {
-  await migrateDumpFiles();
-  await app.listen({ hostname: HOSTNAME, port: PORT });
+  await app.listen({ hostname: LISTEN_HOST, port: PORT });
 }
 
 export { app };

api/middleware/auth.ts

@@ -5,6 +5,7 @@ import {
   APIException,
   type AuthPayload,
 } from "../model/interfaces.ts";
+import { getUserById } from "../services/user-service.ts";
 
 export interface AuthContext extends Context {
   state: AuthState;
@@ -32,6 +33,12 @@ export async function authMiddleware(ctx: AuthContext, next: Next) {
     throw new APIException(APIErrorCode.UNAUTHORIZED, 401, "Invalid token");
   }
 
+  try {
+    getUserById(payload.userId);
+  } catch {
+    throw new APIException(APIErrorCode.UNAUTHORIZED, 401, "User not found");
+  }
+
   ctx.state.user = payload;
 
   await next();

api/middleware/og.ts

@@ -0,0 +1,146 @@
+import { Context, Next } from "@oak/oak";
+import { getDump } from "../services/dump-service.ts";
+import { getUserByUsername } from "../services/user-service.ts";
+import { getPlaylistById } from "../services/playlist-service.ts";
+
+interface OGMeta {
+  title: string;
+  description?: string;
+  imageUrl?: string;
+  url: string;
+}
+
+const SITE_NAME = "gerbeur";
+
+function escapeAttr(s: string): string {
+  return s
+    .replace(/&/g, "&")
+    .replace(/"/g, """)
+    .replace(/</g, "&lt;")
+    .replace(/>/g, "&gt;");
+}
+
+function buildTags(meta: OGMeta): string {
+  const card = meta.imageUrl ? "summary_large_image" : "summary";
+  const tags = [
+    `<title>${escapeAttr(meta.title)}</title>`,
+    `<meta property="og:site_name" content="${SITE_NAME}" />`,
+    `<meta property="og:type" content="website" />`,
+    `<meta property="og:url" content="${escapeAttr(meta.url)}" />`,
+    `<meta property="og:title" content="${escapeAttr(meta.title)}" />`,
+    `<meta name="twitter:card" content="${card}" />`,
+  ];
+  if (meta.description) {
+    tags.push(
+      `<meta name="description" content="${escapeAttr(meta.description)}" />`,
+      `<meta property="og:description" content="${
+        escapeAttr(meta.description)
+      }" />`,
+    );
+  }
+  if (meta.imageUrl) {
+    tags.push(
+      `<meta property="og:image" content="${escapeAttr(meta.imageUrl)}" />`,
+    );
+  }
+  return tags.join("\n    ");
+}
+
+function inject(html: string, meta: OGMeta): string {
+  return html
+    .replace(/<title>[^<]*<\/title>/, "")
+    .replace("</head>", `    ${buildTags(meta)}\n  </head>`);
+}
+
+let cachedHtml: string | null | undefined; // undefined = not yet loaded, null = not found
+
+async function loadIndexHtml(): Promise<string | null> {
+  if (cachedHtml !== undefined) return cachedHtml;
+  for (
+    const path of [`${Deno.cwd()}/dist/index.html`, `${Deno.cwd()}/index.html`]
+  ) {
+    try {
+      cachedHtml = await Deno.readTextFile(path);
+      return cachedHtml;
+    } catch {
+      continue;
+    }
+  }
+  cachedHtml = null;
+  return null;
+}
+
+const DUMP_RE = /^\/dumps\/([^/]+)$/;
+const USER_RE = /^\/users\/([^/]+)$/;
+const PLAYLIST_RE = /^\/playlists\/([^/]+)$/;
+
+export async function ogMiddleware(ctx: Context, next: Next) {
+  const { pathname } = ctx.request.url;
+
+  if (pathname.startsWith("/api/") || pathname.includes(".")) {
+    return await next();
+  }
+
+  const origin = ctx.request.url.origin;
+  const pageUrl = `${origin}${pathname}`;
+
+  let meta: OGMeta | null = null;
+
+  const dumpMatch = pathname.match(DUMP_RE);
+  const userMatch = pathname.match(USER_RE);
+  const playlistMatch = pathname.match(PLAYLIST_RE);
+
+  if (dumpMatch) {
+    try {
+      const dump = getDump(dumpMatch[1]);
+      let imageUrl: string | undefined;
+      if (dump.kind === "file" && dump.fileMime?.startsWith("image/")) {
+        imageUrl = `${origin}/api/files/${dump.id}`;
+      } else if (dump.richContent?.thumbnailUrl) {
+        imageUrl = dump.richContent.thumbnailUrl;
+      }
+      meta = {
+        title: dump.title,
+        description: dump.comment,
+        imageUrl,
+        url: pageUrl,
+      };
+    } catch { /* not found or private — serve default */ }
+  } else if (userMatch) {
+    try {
+      const user = getUserByUsername(userMatch[1]);
+      const imageUrl = user.avatarMime
+        ? `${origin}/api/avatars/${user.id}`
+        : undefined;
+      meta = {
+        title: user.username,
+        description: user.description,
+        imageUrl,
+        url: pageUrl,
+      };
+    } catch { /* not found */ }
+  } else if (playlistMatch) {
+    try {
+      const playlist = getPlaylistById(playlistMatch[1]);
+      if (playlist.isPublic) {
+        const imageUrl = playlist.imageMime
+          ? `${origin}/api/playlists/${playlist.id}/image`
+          : undefined;
+        meta = {
+          title: playlist.title,
+          description: playlist.description,
+          imageUrl,
+          url: pageUrl,
+        };
+      }
+    } catch { /* not found or private */ }
+  }
+
+  if (!meta) return await next();
+
+  const html = await loadIndexHtml();
+  if (!html) return await next();
+
+  ctx.response.headers.set("Content-Type", "text/html; charset=utf-8");
+  ctx.response.body = inject(html, meta);
+}

api/model/interfaces.ts

@@ -558,6 +558,10 @@ export interface ErrorMessage {
   message?: string;
 }
 
+export interface ForceLogoutMessage {
+  type: "force_logout";
+}
+
 export type ServerToClientMessage =
   | PingMessage
   | WelcomeMessage
@@ -576,7 +580,8 @@ export type ServerToClientMessage =
   | CommentUpdatedMessage
   | CommentDeletedMessage
   | NotificationCreatedMessage
-  | ErrorMessage;
+  | ErrorMessage
+  | ForceLogoutMessage;
 
 /**
  * Follows

api/routes/ws.ts

@@ -1,4 +1,5 @@
 import { Router } from "@oak/oak";
+import { ALLOWED_ORIGINS } from "../config.ts";
 import { verifyJWT } from "../lib/jwt.ts";
 import {
   broadcastPresence,
@@ -24,8 +25,7 @@ import {
 const router = new Router();
 
 function isAllowedOrigin(origin: string): boolean {
-  if (!origin) return false;
-  return /^https?:\/\/(localhost|127\.0\.0\.1)(:\d+)?$/.test(origin);
+  return ALLOWED_ORIGINS.includes(origin);
 }
 
 router.get("/ws", async (ctx) => {
@@ -45,12 +45,9 @@ router.get("/ws", async (ctx) => {
 
   const socket = ctx.upgrade();
 
-  let avatarMime: string | undefined;
-  if (authPayload) {
-    try {
-      avatarMime = getUserById(authPayload.userId).avatarMime;
-    } catch { /* user not found */ }
-  }
+  const avatarMime = authPayload
+    ? getUserById(authPayload.userId).avatarMime
+    : undefined;
 
   const client: WsClient = {
     socket,

api/services/playlist-service.ts

@@ -34,7 +34,7 @@ const PLAYLIST_SELECT = `p.*, u.username as owner_username,
    (SELECT COUNT(*) FROM playlist_dumps pd WHERE pd.playlist_id = p.id) as dump_count
    FROM playlists p LEFT JOIN users u ON u.id = p.user_id`;
 
-function getPlaylistById(idOrSlug: string): Playlist {
+export function getPlaylistById(idOrSlug: string): Playlist {
   const row = UUID_RE.test(idOrSlug)
     ? db.prepare(`SELECT ${PLAYLIST_SELECT} WHERE p.id = ?;`).get(idOrSlug)
     : db.prepare(`SELECT ${PLAYLIST_SELECT} WHERE p.slug = ?;`).get(idOrSlug);

api/services/providers/self.ts

@@ -0,0 +1,83 @@
+import type { RichContent } from "../../model/interfaces.ts";
+import type { RichContentProvider } from "../rich-content-service.ts";
+import { getDump } from "../dump-service.ts";
+import { getUserByUsername } from "../user-service.ts";
+import { getPlaylistById } from "../playlist-service.ts";
+import { BASE_URL } from "../../config.ts";
+
+const DUMP_RE = /^\/dumps\/([^/]+)$/;
+const USER_RE = /^\/users\/([^/]+)$/;
+const PLAYLIST_RE = /^\/playlists\/([^/]+)$/;
+
+export const selfProvider: RichContentProvider = {
+  name: "self",
+
+  matches(url: string): boolean {
+    try {
+      const { pathname } = new URL(url);
+      return DUMP_RE.test(pathname) ||
+        USER_RE.test(pathname) ||
+        PLAYLIST_RE.test(pathname);
+    } catch {
+      return false;
+    }
+  },
+
+  fetch(url: string): Promise<RichContent> {
+    const { pathname } = new URL(url);
+
+    const dumpMatch = pathname.match(DUMP_RE);
+    if (dumpMatch) {
+      const dump = getDump(dumpMatch[1]);
+      let thumbnailUrl: string | undefined;
+      if (dump.kind === "file" && dump.fileMime?.startsWith("image/")) {
+        thumbnailUrl = `${BASE_URL}/api/files/${dump.id}`;
+      } else if (dump.richContent?.thumbnailUrl) {
+        thumbnailUrl = dump.richContent.thumbnailUrl;
+      }
+      return Promise.resolve({
+        type: "generic",
+        url,
+        siteName: "gerbeur",
+        title: dump.title,
+        description: dump.comment,
+        thumbnailUrl,
+      });
+    }
+
+    const userMatch = pathname.match(USER_RE);
+    if (userMatch) {
+      const user = getUserByUsername(userMatch[1]);
+      const thumbnailUrl = user.avatarMime
+        ? `${BASE_URL}/api/avatars/${user.id}`
+        : undefined;
+      return Promise.resolve({
+        type: "generic",
+        url,
+        siteName: "gerbeur",
+        title: user.username,
+        description: user.description,
+        thumbnailUrl,
+      });
+    }
+
+    const playlistMatch = pathname.match(PLAYLIST_RE);
+    if (playlistMatch) {
+      const playlist = getPlaylistById(playlistMatch[1]);
+      const thumbnailUrl = playlist.imageMime
+        ? `${BASE_URL}/api/playlists/${playlist.id}/image`
+        : undefined;
+      return Promise.resolve({
+        type: "generic",
+        url,
+        siteName: "gerbeur",
+        title: playlist.title,
+        description: playlist.description,
+        thumbnailUrl,
+      });
+    }
+
+    // Should not reach here if matches() is correct
+    return Promise.resolve({ type: "generic", url });
+  },
+};

api/services/rich-content-service.ts

@@ -2,6 +2,7 @@ import type { RichContent } from "../model/interfaces.ts";
 import { youtubeProvider } from "./providers/youtube.ts";
 import { bandcampProvider } from "./providers/bandcamp.ts";
 import { soundcloudProvider } from "./providers/soundcloud.ts";
+import { selfProvider } from "./providers/self.ts";
 import { genericProvider } from "./providers/generic.ts";
 
 export interface RichContentProvider {
@@ -12,12 +13,14 @@ export interface RichContentProvider {
 
 /**
  * Register providers in priority order. The first match wins.
+ * `selfProvider` resolves gerbeur URLs directly from the DB (no HTTP round-trip).
  * `genericProvider` must stay last — it always matches.
  */
 const providers: RichContentProvider[] = [
   youtubeProvider,
   bandcampProvider,
   soundcloudProvider,
+  selfProvider,
   genericProvider,
 ];
 
@@ -86,11 +89,17 @@ function isPrivateHost(hostname: string): boolean {
   return /^(127\.|10\.|172\.(1[6-9]|2\d|3[01])\.|192\.168\.)/.test(hostname);
 }
 
+const SELF_PATH_RE = /^\/(dumps|users|playlists)\/[^/]+$/;
+
 export function isValidHttpUrl(raw: string): boolean {
   try {
     const u = new URL(raw);
     if (u.protocol !== "http:" && u.protocol !== "https:") return false;
-    if (isPrivateHost(u.hostname)) return false;
+    // Allow private hosts for self-referential gerbeur URLs — they are
+    // resolved directly from the DB by selfProvider, no outbound HTTP needed.
+    if (isPrivateHost(u.hostname) && !SELF_PATH_RE.test(u.pathname)) {
+      return false;
+    }
     return true;
   } catch {
     return false;

api/services/user-service.ts

@@ -6,6 +6,7 @@ import {
   type User,
 } from "../model/interfaces.ts";
 import { db, isUserRow, userApiToRow, userRowToApi } from "../model/db.ts";
+import { disconnectUser } from "./ws-service.ts";
 
 import { hashPassword } from "../lib/jwt.ts";
 
@@ -160,6 +161,8 @@ export function updateUserAvatar(userId: string, mime: string): void {
 }
 
 export function deleteUser(userId: string): void {
+  disconnectUser(userId);
+
   const result = db.prepare(
     `DELETE FROM users WHERE id = ?;`,
   ).run(userId);

api/services/ws-service.ts

@@ -66,6 +66,15 @@ export function sendToUser(userId: string, data: ServerToClientMessage): void {
   }
 }
 
+export function disconnectUser(userId: string): void {
+  for (const client of clients) {
+    if (client.userId === userId) {
+      send(client.socket, { type: "force_logout" });
+      client.socket.close(1000, "Account deleted");
+    }
+  }
+}
+
 export function broadcastPresence(): void {
   const users = getOnlineUsers();
   for (const client of clients) {

api/sql/init.ts

@@ -0,0 +1,15 @@
+import { DatabaseSync } from "node:sqlite";
+
+const DB_FILE = "api/sql/gerbeur.db";
+
+try {
+  await Deno.stat(DB_FILE);
+  console.log("Database already exists, skipping initialization.");
+} catch {
+  console.log("Initializing database from schema...");
+  const schema = Deno.readTextFileSync("api/sql/schema.sql");
+  const db = new DatabaseSync(DB_FILE);
+  db.exec(schema);
+  db.close();
+  console.log("Database initialized.");
+}